rleyba828 (Australia)

asked on

Using VACL to allow inbound connection to a server only but prevent that server from initiating connections

Hi,

We have an old Windows server that has a special legacy application on it, but our security team wants that server locked down, i.e. users can connect to it via telnet, SSH, RDP, etc., but the server itself cannot connect to other servers and can't go out to the internet. We have tried playing with the Windows firewall, which meets some of the security needs, but we still have to lock it down at the network level, so that if someone gets hold of the admin account PW, they can disable the Windows firewall but still can't connect to the outside world.

I have tried using Cisco VACL (we are using Version 12.2(52)SE), and my relevant VACL statements are as follows:

ip access-list extended any_to_HC
 permit ip any host 192.168.1.2
 permit icmp any host 192.168.1.2
ip access-list extended HC_to_any
 permit ip host 192.168.1.2 any
 permit icmp host 192.168.1.2 any
!
-----------------------


vlan access-map VACL_isolate_HC 10
 action drop
 match ip address HC_to_any
vlan access-map VACL_isolate_HC 20
 action forward
 match ip address any_to_HC

------------

vlan filter VACL_isolate_HC vlan-list 1010



The server is sitting on this VLAN 1010. What I noticed though is that it looks like VACL cannot *sense* established connections, so that if you are trying to connect to it or even ping it, even though perhaps inbound packets to the server are allowed, the VACL automatically blocks outgoing?

I also tried modifying the relevant access list clauses above to read:

 permit tcp host 192.168.1.2 any established



but it didn't have the desired effect

...would appreciate any suggestions on how my requirements can be achieved.

Thanks
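A small Python model of the stateless, first-match evaluation the question is running into (an added illustration, not IOS code and not the asker's eventual fix): it walks the access-map exactly as posted, then an assumed reordering that puts a forward entry matching `permit tcp host 192.168.1.2 any established` ahead of the drop entry. The client address 192.168.1.50 and the outside address 203.0.113.10 are constructed for the example.

```python
from dataclasses import dataclass

SERVER = "192.168.1.2"   # the legacy host from the question

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    ack: bool = False    # TCP ACK/RST bit set: the only thing "established" checks

# Matchers standing in for the named access-lists in the post
def any_to_hc(p): return p.dst == SERVER                    # any_to_HC
def hc_to_any(p): return p.src == SERVER                    # HC_to_any
def hc_established(p):                                      # permit tcp host SERVER any established
    return p.src == SERVER and p.proto == "tcp" and p.ack
def match_any(p): return True                               # permit ip any any

def evaluate(access_map, p):
    """First sequence whose match list hits decides; no hit means implicit drop.
    Stateless: the switch never remembers that an inbound SYN passed earlier."""
    for seq, action, matcher in access_map:
        if matcher(p):
            return action, seq
    return "drop", None

# The map as posted: 10 drop HC_to_any, 20 forward any_to_HC
POSTED = [(10, "drop", hc_to_any), (20, "forward", any_to_hc)]

# Assumed reordering (illustration only): let the server's TCP replies (ACK set)
# out before the drop entry, then forward everything else on the VLAN.
REORDERED = [(10, "forward", hc_established), (20, "drop", hc_to_any),
             (30, "forward", match_any)]

CLIENT = "192.168.1.50"                             # constructed client address
syn      = Pkt(CLIENT, SERVER, "tcp")               # client opens RDP/SSH to server
syn_ack  = Pkt(SERVER, CLIENT, "tcp", ack=True)     # server's reply to that SYN
out_syn  = Pkt(SERVER, "203.0.113.10", "tcp")       # server trying to reach outside
echo_rep = Pkt(SERVER, CLIENT, "icmp")              # server's reply to a ping

def walk(access_map, pkts):
    """Action taken for each packet, in order."""
    return [evaluate(access_map, p)[0] for p in pkts]

if __name__ == "__main__":
    for name, m in (("posted", POSTED), ("reordered", REORDERED)):
        print(name, walk(m, [syn, syn_ack, out_syn, echo_rep]))
```

With the posted map the server's SYN-ACK hits the drop at sequence 10, so no inbound TCP session can complete; with the reordering, replies pass and server-initiated SYNs still drop, but the ICMP echo reply is still dropped because `established` only applies to TCP.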
arnold (United States of America)

In your established rule, allowing only ports greater than 1023 would cover many.


Using an ACL only allowing

The other only allows ports of services that need to be accessed to respond.

What ports is the application on, .....
VACL is usually used to block intra-VLAN traffic, traffic between hosts in a VLAN.

So if your server is in the same VLAN with other servers you can (to block traffic to other hosts in the same VLAN):
- permit traffic that needs to be forwarded to the default gateway
- drop all other traffic
example
Filtering all other traffic (to internet or any other destination) should be done by ACL, not VACL.
ASKER CERTIFIED SOLUTION
rleyba828 (Australia)

rleyba828 (ASKER)

I found the answer myself.